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Introduction. Production processes quality depends largely on 
the management infrastructure, in particular, on the information 
system (IS) effectiveness. Company management pays increas- 
ingly greater attention to the safety protection of this sphere. 
Financial, material and other resources are regularly channeled 
to its support. In the presented paper, some issues on the devel- 
opment of a safety enterprise information system are consid- 
ered. 

Materials and Methods. Protection of the enterprise IS consid- 
ers some specific aspects of the object, and immediate threats to 
IT security. Within the framework of this study, it is accepted 
that IS are a complex of data resources. A special analysis is 
resulted in determining categories of threats to the enterprise 
information security: hacking; leakage; distortion; loss; block- 
ing; abuse. The connection of these threats, IS components and 
elements of the protection system is identified. The require- 
ments of normative legal acts of the Russian Federation and 
international standards regulating this sphere are considered. It 
is shown how the analysis results enable to validate the selec- 
tion of the elements of the IS protection system. 

Research Results. A comparative analysis of the regulatory 
literature pertinent to this issue highlights the following. Differ- 
ent documents offer a different set of elements (subsystems) of 
the enterprise IS protection system. To develop an IS protection 
program, you should be guided by the FSTEC Order No. 239 
and 800-82 Revision 2 Guide to ICS Security. 

Discussion and Conclusions. The presented research results are 
the basis for the formation of the software package of intellec- 
tual support for decision-making under designing an enterprise 
information security system. In particular, it is possible to de- 
velop flexible systems that allow expanding the composition of 
the components (subsystems). 
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Beedenue. KauecTBo MIpOu3BOACTBeHHBIX IIpOleccOB BO MHO- 
TOM 3aBHCHT OT HH(PpacTpyKTypbl yupaBseHHA — B 4acTHOCTH, 
OT 9exTHBHOCTH WHPopMalMoHHOH cuctempr (UC). Me- 
He]~KMeHT KOMHaHHi yelieT Bce OobUIee BHUMaHHe OObectie- 
yeHHIO Oe30MacHOCTH 9TOM ccbepbl, Ha ee NOAAepxKKy perysap- 
HO HalipaBJIAioTcd (MHaHCOBbIe, MaTepHasIbHble WM ~Apyrue 
pecypcpt. B nmpeyctaBieHHol paOoTe paccMOTpeHbI BOTIpPOCch! 
TIOCTpOeCHHA KOMIMIeKCa 3alMTbl HHPOPMalMOHHOM CHCTeMBI 
TpeqnpuaTus. 

Mamepuaaei u memoooi. Oxpana UC npegnpusTua yauTbIBaeT 
ocoOeHHOCTH OObeKTa 3aLIMTbI HW akTyaIbHble yrpo3bl HHop- 
MaljHOHHOM Oe3onmacHocTuH. B pamMKax aHHoro MccreqoBaHHA 
mpHusato, uo MC mpegctapnsaet coOol KommeKc HHPopMaln- 
OHHBIX pecypcos. Ilo pe3ymbTaTaM cleljHabHOrO aHasIM3a 
ompeyeseHbI KaTeropHu yrpo3 HHpopMalHoHHON Oe30nacHo- 
CTH IIpeAMpHATHA: B3JIOM; yTeuKa; HcKaxkeHHe; yTpata; OOKH- 
poBaHue; 30ynoTpeOmeHHe. BaiaBieHa CBA3b JaHHBbIX yIpo3, 
kKomnoHeHToB MC uv sieMeHTOB KOMIIeKca 3alHTbI. PaccmoT- 
peHbI TpeOoBaHHa HOpMaTHBHO-IIpaBOBbIX akTOB PoccuiicKoli 
@Meyepaywu HU Mex] yHAapOAHBIX CTaHapToB, perysIMpyloulux 
qanHyto cibepy. Moxa3zaHo, kakuM o6pa30M pe3ysIbTaTbl JaHHO- 
TO aHasI3a MO3BOJIAIOT OOOCHOBaTb BbIOOp 3ICMCHTOB KOM- 
Tiekca 3amuTbI MC. 

Pe3yiemamel ucciedoeanus. CpaBHUTeIbHbIM aHasiM3 persa- 
MeHTHpyIolel IMTepatTypbl, OTHOCAINelica K aHHOMY BOTIpO- 
CY, HO3BOJIMJI BBIABHT cyleqyroulee. PasHbie JOKYMeHTBI ped - 
WaraioT pa3HbIii HaOop 9dJIeMeHTOB (HOACHCTeM) KOMMIeKca 
3amjuTE MC npegnpuatua. PaspaOaTpiBas WporpaMMy 3allHTbI 
UC, cnenzyer pykosoycrBosatsca IIpuxka3om WCTOK Ne 239 u 
cTaHyapToM 800-82 Revision 2 Guide to ICS Security. 
O6cyacdenue u 3axmouenua. Pe3ynbTaTbl MmpecTaBsIeHHoro 
HCCHeNOBaHHA ABIAIOTCA OCHOBOM Id (OpMupoBaHHA Tmpo- 
TpaMMHOTO KOMIVJIeKca HHTeIICKTYAaIbHON NOAWepxKKH NIpHHsA- 
THA pelleHHi pH MpoeKTHpOBaHH CHCTeMBI 3all[HTbI HHop- 
Mallu Ha pezmpuaTuu. B uacTHocTH, MoxHO pa3paOaTEIBaTb 
THOKHe KOMIVICKChI, MO3BOJIAIOMIHe paclIMpATb COCTaB 9JIEMeH- 
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intellectual support for decision-making when designing an enterprise information security system”. 
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Introduction. Information systems (IS) are increasingly used in the production and management processes. Accord- 
ingly, the problem of cyber security (CS) of IS gets worse. In particular, IS weak isolation simplifies an unauthorized ac- 
cess to them [1, 2, 3]. The consequences of fraudulent attacks on IS may be production downtime, financial losses, and on 
the worst-case scenario — even man-made disasters [4]. Thus, the crucial task is to establish a protective system for the in- 
dustrial IS which could effectively militate against malicious acts. 

Materials and Methods. The development of an information security system is based on the results of a pre-project 
study during which the setup of the asset to be protected and the immediate threats are determined. 

The asset of protection is represented as a set of information resources: 


Object... = {NE,CC, IS, Sts, WS, PE, OS, SS, AS, IP,Sn, RSM, SM, IA}. 

Here, NE is a set of network hardware; CC is a number of communications lines; JS is an array of infrastructure serv- 
ers; Sts a set of data storage systems; WS is number of localhosts; PE is a number of external equipment; OS is an 
array of operating systems; SS' is a set of system software; AS is a set of application software; JP is number of infor- 
mation processes running in the tech companies; Sm is subnets; RSM is a number of removable media; SM _ is electronic 
data storage devices; JA is information assets. 

Number of immediate CS threats Threat is determined [5]: 

Threat = { Breaking, Leak, Distortion, Loss, Blocking, Abuse} . 

Here, Breaking is hacking threats; Leak is information leakage threatening; Distortion is threats of distortion; Loss 
is threats of loss; Blocking is threats of blocking the information resources of a tech company; Abuse is risks of abuse. 

The system which meets these threats is an enterprise IP protection system (ISPS) (Fig. 1). 


ad RSM 


SM 1A 


enterprise ISPS 
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Fig. 1. Security objects — threats relations in ISPS diagram 
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SPI (system of protection of information) is two-tiered, and it includes subsystems (components) [6]: 
— a set of subsystems (Subsystem) of information security; 
— number of information security facilities (MP, means of protection). 

Fig. 2 shows a general form of the ISPS structure. 





Fig. 2. Generalized structure of enterprise ISPS 


When determining the components of the information protection system, experts proceed from the analysis of 
available regulatory documentation and standards operating at the enterprise. International experience should be taken into 
account as well. 800-82 Revision 2 Guide to Industrial Control Systems (ICS) Security [1] is widely used in the foreign and 
domestic practice. This standard was developed by the US National Institute of Standards and Technology. It, in particular, 
contains recommendations on improving safety in the industrial inspection systems, including the supervisory control and 
data acquisition systems. It shows how the organizational processes and business functions are subjected to threats, and it 
describes usual vulnerabilities. Special attention is given to security measures and counters that should be undertaken in a 
hostile situation. 

Research Results. Domestic regulatory legal acts (RLA) handling the enterprise IS protection can be conditional- 
ly divided into two categories [6]: 

—RLA on maintenance of information safety of the automatic process control system (APCS); 
- RLA on the security of critical information infrastructure (CII). 

Crucially, vulnerabilities in the CII protection can cause major material and environmental damage. Inadequate 
CII protection is fraught with social and military-political problems. 

Designing the information security system (in particular, when modeling the intellectual support for decision- 
making) requires a preliminary comparative analysis of the profile regulatory legal acts of the Russian Federation. As for 
example, the following documents should be considered: 

— Order no. 31 of the Federal Service for Technology and Export Control (FSTEC of Russia) of March 14, 2014, “On 
Approving Requirements for Providing Information Protection in Automated Control Systems of Production and Techno- 
logical Processes at Critical Objects, Potentially Hazardous Facilities, and Objects posing high threat to life and health of 
people and the environment” [7]; 

— Order no. 239 of FSTEC of Russia of December 25, 2017, “On Approval of Requirements for Ensuring the Security of 

Significant Facilities of the Information Infrastructure of the Russian Federation” (draft) [8]; 
— International standard 800-82 Revision 2 Guide to Industrial Control Systems (ICS) Security [9]. 
Comparative analysis of the Orders of FSTEC of Russia no. 31 and no. 239 is presented in Table 1. 
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Table 1 


Elements (subsystems) of enterprise IS protection system in 
Orders of FSTEC no. 31 and no. 239 





FSTEC Order no. 31 of 14.03.14 FSTEC Order no. 239 of 25.12 2017 








Identification and authentication of access subjects and access objects (IAF) 





Access control of access subjects and access objects (UPD) 





Restriction of software environment (OPS) 





Protection of machine-readable media (ZNI) 





Secure event logging (RSB) Security audit (AUD) 





Antivirus protection (AVZ) 


Intrusion detection (OV) Intrusion prevention (PV) 


Protection of information (automated) system and its 








Infosecurity control (analysis) (ANZ) 
components (ZIS) 








Integrity control (OTsL) 





Information assurance (ODT) 





ISPS Subsystems 


Event planning to ensure information protection (PLN) 





Protection of technical facilities and systems (ZTS) 





Security assurance of software development (OBR) Information security incident response (INTs) 





Virtualization environment protection (ZSV) Personnel informing and training (IPO) 








Software update control (OPO) 





Security protection of emergency procedures (DNS) 





Analysis of threats to information security and risks from 





their implementation (UBI) 





Configuration control of data processing system and its security system (UKF) 











Note. For greater clarity, variances are not only placed in different cells, but are also highlighted in gray 








So, FSTEC Order no. 239 provides for the following subsystems in the IS protection system: 
— security audit (AUD); 

— protection of information (automated) system and its components (ZIS); 

— information security incident response (INTs); 

— staff informing and training (IPO). 

It should be mentioned that the decision on the ISPS completeness to a certain extent depends on the financial ca- 
pacities of the enterprise. However, if the cost of the protected resources and the potential damage from hazards is higher 
than the cost of the ISPS, then it makes sense to implement AUD and ZIS. 

Comparative analysis of the FSTEC Order no. 239 of December 25, 2017, and 800-82 Revision 2 Guide to Indus- 


trial Control Systems (ICS) Security is given in Table 2. 
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Table 2 
Elements (subsystems) of enterprise IS protection system in 
FSTEC Order no. 239 of December 25, 2017, and in 800-82 Revision 2 
Guide to Industrial Control Systems (ICS) Security) 





FSTEC Order no. 239 of 25.12.17 800-82 Revision 2 Guide to ICS Security 
Identification and authentication (IAF) 
Identification and authentication 
Access control (UPD) 
System and communications protection, 
Security assessment and authorization 
Restriction of software environment (OPS) System and information integrity 
Protection of machine-readable media (ZNI) 
Media protection 
Security audit (AUD) 
Auditing and accountability 
Antivirus protection (AVZ) System and information integrity 





























Intrusion prevention (hacking) (SOV) Bytom audi iomnatominiehy 





Protection of information (automated) system and its System and information integrity 
components (ZIS) 
Integrity control (OTsL) System and information integrity 











Information assurance (ODT) 
System and services acquisition 





Event planning to ensure information protection (PLN) 
Planning, contingency planning 
Protection of technical facilities and systems (ZTS) 
Maintenance 
Information security incident response (INTs) 
Incident response 
Personnel informing and training (IPO) 
Personnel security 
Organization — wide information security program 
management controls 
Security protection of emergency procedures (DNS) 
Physical and environmental protection 
Awareness and training 
Configuration control (UKF) 
Configuration management 
_ Risk assessment 


ISPS Subsystems 














Software update control (OPO) 























= System and communications protection 











Note. For greater clarity, variances are not only placed in different cells, but are also highlighted in gray. 





In this case, the following differences are most obvious: 
— 800-82 Revision 2 Guide to ICS Security combines the functional of the subsystems of OPS, AVZ, SOV, OTsL, ZIS 
defined in the FSTEC Order, in the subsystem of “System and information integrity”; 
— 800-82 Revision 2 Guide to ICS Security provides a subsystem for the protection of communication systems — “System 
and communications protection”; 
— The FSTEC Order combines the functional of the subsystems “System and communications protection” and “Security 
assessment and authorization” in the “Access control subsystem (UPD)”; 
— The FSTEC Order combines the functional of the “Planning” and “Contingency planning” subsystems in the subsystem 
of “Event planning to ensure information protection (PLN)”; 
— The FSTEC Order combines the functional of the subsystems of “Physical and environmental protection” and “Aware- 
ness and training” in the subsystem of “Security protection of emergency procedures (DNS)”. 

Special mention should be made of the subsystems for risk assessment and protection of communication systems 
[10]. These are the critical items of the enterprise IS protection system among those that are not provided for by domestic 
regulatory documents. Their implementation will enable to enhance protection; to respond promptly to incidents that arise 
in the enterprise IS; to counteract attacks timely and accurately. 


Discussion and Conclusions. The analysis results of the IS protection system components will be used to build a 
model of intellectual support for decision-making when designing the ISPS. Particularly, it is planned to foresee the possi- 
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bility of expanding the ISPS subsystem setup. The selection of the system units will depend on the risk assessment, the ex- 
tent of potential damage by injurious actions, and the cost of the ISPS components. 
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